Microsoft Windows RT Jailbroken

The researcher has revealed that the vulnerability that allowed for the jailbreak is present in the Windows Kernel that found its way into the ARM port as well. “Ironically, a vulnerability in the Windows kernel that has existed for some time and got ported to ARM just like the rest of Windows made this possible”, Rokr wrote in a blog post.

The vulnerability can be exploited through memory manipulation and it was all possible after the researcher stumbled upon a “byte that represents the minimum signing level.” Once the vulnerability is exploited the Windows RT tablet allowed for execution of ARM compiled desktop apps. The jailbreak will only work with ARM based applications and x86 apps can’t be executed.

Finding the vulnerability was tough as unsigned binaries are not allowed to execute on ARM and most of the apps on the app store don’t have the security context that is needed to attach to other processes. But, Microsoft has provided Visual Studio 2012 Remote Tools part of which is a remote debugger, which when executed as an Administrator allows one to attach to the user’s CSRSS process and go on with memory manipulation as desired.

The researcher notes “CSRSS contains a lot of calls to the vulnerable NtUserSetInformationThread function, including some that use the right parameters to exploit it.”

This exploit may very well increase the productivity and usability of the Windows RT but, considering that restricting desktop apps on the ARM based tablet was a conscious call by Microsoft to increase battery life, users who go about jailbreaking their devices may end up with reduced battery backup on their Windows RT.